[Infowarrior] - Amit Yoran: Strong encryption is vital to our future in tech

Richard Forno rforno at infowarrior.org
Wed Jan 24 16:07:40 CST 2018


Strong encryption is vital to our future in tech

By Amit Yoran, opinion contributor — 01/24/18 04:31 PM EST

http://thehill.com/opinion/cybersecurity/370574-strong-encryption-is-vital-to-our-future-in-tech

Don’t be fooled by recent proposals — anyone who understands how technology works knows that “back doors” aren’t the answer.

This month marked yet another shot across the bow from U.S. Department of Justice officials targeting strong encryption. At the International Conference on Cyber Security, FBI Director Christopher Wray described the inability of law enforcement authorities to access data from electronic devices as an “urgent public safety issue.” This follows Deputy Attorney General Rod Rosenstein’s recent proposal for so-called “responsible encryption.” Don’t be fooled — no matter what wording the DOJ conjures up to try and sell the idea, it’s a back door.

Despite the flawed logic in such proposals, the concept continues to gain steam, with more and more policymakers and administration officials calling for weakened and breakable encryption. Following the mass shootings in Texas in early November, Sen. Dianne Feinstein (D-Calif.) suggested that it was time to bring back legislation that she introduced along with Sen. Richard Burr (R-N.C.) in 2016 that would effectively ban strong encryption as it exists today.
 

Back doors aren’t the answer

While these proposals may sound well-intentioned, in reality they are anything but responsible. This approach to encryption policy would betray U.S. security and economic interests. For that reason, it’s time to review again why back doors are just plain backward thinking:

First, strong cryptography is a foundational building block for good cybersecurity. According to the U.S. National Intelligence Estimate, cybersecurity is the single greatest threat to the United States. The greatest challenge that exists in maintaining effective operational security lies in implementation. Compromises of even the most sensitive and well-protected systems occur on a regular basis. Remember, there are many more breaches than just the ones that we see on the news. Back doors only increase system complexity, which creates additional risk. What’s more, whoever possesses the capability to access encrypted data then becomes a greater target. Safeguarding that access would require exceptional security capabilities that the government and many corporations simply have not demonstrated thus far.

Weakened encryption is a competitive disadvantage 

Requiring U.S. technology companies to add back doors accessible by the U.S. government would also put those firms at a significant competitive disadvantage against foreign competitors. Such a policy would also serve to erode trust for U.S. companies in overseas markets. Why would a foreign firm or government buy products from U.S. companies with the full knowledge that their sensitive data is accessible by the U.S. government and possibly others who would compromise the system? As Senator Mark Warner (D-VA) recently noted, “a one-country-only solution simply pushes the bad guys onto foreign-based hardware and software.” There are plenty of foreign competitors willing to serve those businesses and provide them with strong encryption.

Compromising encryption among U.S. companies will not necessarily result in better visibility into the activities of criminal actors, and certainly not the ones that pose the greatest threat to public safety. After all, restricting encryption technology in the U.S. will not make those technologies or known methods unavailable. Sophisticated adversaries and criminals will just create and buy encrypted devices abroad. Terrorists will also use non-backdoored encryption they already have access to. Moreover, it’s highly unlikely that any credible terrorist or foreign intelligence service would ever use technology that was knowingly weakened or that U.S. intelligence or law enforcement agencies have access to. 

Training the good guys

And finally, it must be said: Law enforcement already has access to an astounding amount of data that could be used to solve crimes. In fact, the majority of the content we produce or interact with on a daily basis is readily available through proper legal channels. At a minimum, sophisticated law enforcement agencies need more robust technical training and should work to develop the same skills that hackers use every day to access computer systems. Either of these approaches is more palatable than requiring technology companies to build a back door and roll out the welcome mat for all manner of cyber criminals.

While we appreciate the work of the law enforcement community and sympathize with their mission, there is a reason why the entirety of the cryptographic, cybersecurity and tech communities have been unequivocal in their perspective on this issue. Encryption protects the security of people worldwide, and we know from experience that any unnecessary access creates unnecessary risk. Therefore, the only “responsible” approach is to preserve good encryption and push back against ill-informed proposals advocating a parochial position based on a myopic lens.

Amit Yoran is chairman and CEO of Tenable, overseeing the company’s strategic vision and direction. Prior to joining Tenable, Amit was president of RSA, where he led their growth and strategy since 2014. Amit came to RSA through the acquisition of his high-growth company, NetWitness, a network forensic product provider. Previously, he served as founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security.

